New York's Attorney General Letitia James has recently announced securing $500,000 from Noblr, an auto insurance company, as a consequence of a data breach that compromised the personal information of over 80,000 New Yorkers. Noblr fell victim to scammers who exploited vulnerabilities in its online automobile insurance quoting applications to access sensitive data, such as driver’s license numbers and birth dates. This data was later utilized to file fraudulent unemployment claims during the peak of the COVID-19 pandemic, as per the Attorney General's office.
In addition to the fine imposed on Noblr, AG James's office has also taken action against other companies such as GEICO and Travelers, with recoveries related to cybersecurity failures now totaling $5.6 million. In a statement from the Attorney General's office, AG James emphasized, “Auto insurance companies offer drivers protection during emergencies, but they must also protect their personal information from hackers and scammers.”
The investigation by the Office of the Attorney General revealed that Noblr's online insurance quoting tools were deficient in data protection. The flaws included exposing plaintext driver’s license numbers on the company's website backend and in generated PDFs, as well as a failure to prevent the entry of personal information from New York residents, despite Noblr not offering insurance products within the state.
The vulnerability was not discovered until January 2021, and AG James's office found that Noblr did not adequately monitor its website traffic. This not only contributed to the failure to rapidly detect an ongoing attack but also hampered the ability to distinguish legitimate customer activity from the malicious activity of cyber thieves. According to the Attorney General's official statement, the company is now mandated to significantly enhance its web application defenses and establish a comprehensive security program.
Noblr is charged with implementing various security improvements, including developing a data inventory with proper safeguards and maintaining robust authentication protocols for private information access. Furthermore, it must now uphold a reliable system for logging and monitoring potential suspicious activities within its systems. The resolution of this matter was the effort of an extensive team from the Bureau of Internet and Technology within the Division for Economic Justice.









